Court Kicks Data Breach Claim Against Valve – Grigsby v. Valve

Valve is facing a putative class action over a hacking incident involving a breach of Valve’s security system and access to the personal information of “Steam” users. (See “Valve confirms Steam hack: credit cards, personal info may be stolen.”) This is an unexceptional ruling in a data breach class action: the court dismisses the claims (albeit with leave to amend).

The lawsuit was originally filed in the Central District of California, but the case was transferred to the Western District of Washington based on application of a forum selection clause in the Steam user agreement. The court analyzes the allegations of harm in two different categories:

Allegations of future harm: First, there are allegations of future harm—i.e., plaintiffs said they would have to “spend money to ‘protect their privacy’”. (quotations in original) The court says (citing to Pisciotta and Ruiz v. Gap) that these are not cognizable damages.

Allegations of present harm: The allegations of present harm fall into a few categories: (1) loss of access to Valve’s service; (2) loss of data; and (3) loss of “the benefit of the bargain”. The court says that the present harm allegations do not give rise to the same unique issues and looks instead to the general principles applicable to pleadings, and the standards set forth by the Supreme Court in Iqbal and Twobmly. The court says that Twombly marked a shift, and together the two cases established a more stringent pleading requirement (the complaint must allege facts “with a sufficient level of specificity to raise entitlement to relief above the speculative level”). The court also says that the pleading requirements are particularly important in a putative class action such as this one where the loss of a 12b6 motion opens the door to discovery—that is likely to be resource-intensive and expensive for the defendant. In light of this, the court says: “plaintiffs’ complaint must rise to a higher plausibility threshold than it would if it were a garden-variety tort claim or a claim brought by Mr. Grigsby alone.” The court says that plaintiffs allegations fall “well short”:

[Plaintiffs] say nothing about which services were interrupted, which subscriptions or gaming networks they were unable to access, what data they ‘lost,’ how their data could have been ‘lost’ in this situation, or how they may have lost money by subscribing to Steam, which is free.

Although the court dismisses the complaint, the court gives plaintiffs 30 days leave to amend.

__

Not a surprising result. Courts have invoked Iqbal and Twombly in the past, but I don’t recall courts focusing so much on the discovery burdens imposed by class actions and how this warrants even more stringent pleading standards. This is closely related doctrinally to standing, but it’s just another tool courts have available to put the brakes on privacy class actions.

The plaintiff here does not appear to have suffered any effects from the misuse of his data, and this takes him outside the small category of recent cases where courts have declined to dismiss data breach claims. Any allegations based on diminution in value to plaintiff’s personal data are unlikely to gain any traction. Similarly, any allegations based on alleged deprivation of the benefit of the bargain are also unlikely to gain traction.

The court sends a pretty strong message to the plaintiff that it’s not enthused about his claims and will not let them move forward absent some more concrete allegations and more importantly, harm. We’ll see what the plaintiff comes back with. (The order does not contain any discussion of whether Valve offered standard credit monitoring services, but this obviously bears on the issue of whether plaintiff has cognizable damages.)